Whistleblowing is often in the news. It is seen as an important protection against corporate malpractice and poor governance, for instance of the Enron kind in the US or of the National Health Service kind in the UK. Governments say that the whistleblower is to be encouraged and protected, unless, of course, State secrets are involved. Hotlines are now established as a crucial facilitating tool in the whistleblowing process. For US companies of a certain size hotlines are required under Sarbanes Oxley and Dodd Frank and in the EU they are increasingly used (but not required).
Implementing a whistleblowing hotline policy across EU Member States is a challenge for the cross border employer. Whistleblowing often involves sharing personal data with a third party in confidence and Europe is very sensitive to the use of personal data without a person’s knowledge and consent (hardly surprising, given its long history of religious and political persecution). As a result the 1995 European Data Protection Directive established an EU wide regime for protecting the personal data of individuals. As is normal with such directives, each EU state was free to implement the principles in its own way. The international EU employer therefore has to deal with data protection rules (and hotline requirements) that vary from EU state to EU state.
In addition to data protection rules, employers must bear in mind a range of other issues that vary depending on the jurisdiction of the hotline. For example, the defamatory effects of a false allegation made in bad faith to a hotline could be different depending on the jurisdiction of the parties involved and the country where the employer is incorporated – in some European jurisdictions (e.g. France), defamation comes under the criminal, not the civil, code.
International companies therefore need to plan carefully before rolling out a standard whistleblowing protocol to EU based subsidiaries. Companies should carry out a specific analysis for each operating country including, where necessary, approaching the local Data Protection Authority (DPA) to clarify any uncertainties. We set out below some of the matters that hotline operators should consider when analysing local requirements within the European Union.
Notification and DPA Approval: Inside and Outside the EEA
EU Member States usually require that companies operating whistleblowing hotlines within their territory notify the applicable DPA. Some Member States require DPA authorisation before a hotline can be implemented.
If the operation of the hotline is likely to involve certain categories of personal data classified as “sensitive” or “special”, prior authorisation may be required from multiple authorities. These categories of data are usually related to racial or ethnic origin, health, religious or political opinions and criminal records. However, the classifications vary among the EU Member States and care must be taken to ensure that the type of information that will potentially be disclosed via hotline is correctly defined and treated accordingly.
If companies intend to export hotline reports containing personal data to entities located outside the European Economic Area (EEA), even if the recipient company is part of the same group, the exporting company must seek explicit prior authorisation from its DPA. A number of Member States prohibit the cross-border transfer of personal data outside of the EEA, unless the receiving country’s own data protection law ensures an “adequate level of protection”. While this may sound like a low hurdle to overcome , it has been interpreted fairly narrowly and thus transferring personal data outside the EEA can be difficult. Failure to notify the competent DPA can be considered a criminal offence.
Know your Subject Matter
Certain European countries make a distinction between issues that are allowed to be processed via whistleblowing hotlines and those that are not. The general principle is that trivial issues must be dealt by the employee’s direct managers or HR departments through ordinary reporting channels, while only more serious issues may be reported via hotline. In France, for instance, the DPA may not authorize a hotline to deal with any issue that is not related to accounting, financials, anti-trust or anti-corruption.
Apart from the DPA authorisation, some countries also require that Works Councils be informed and consulted prior to the implementation by a company of any hotline.
Employees’ Approval to Comply with Hotline Procedures
Some EU countries also require employees’ approval in order to implement a whistleblowing hotline. This type of approval is particularly important if the company intends to transfer the data outside the operating country. The approval can be required even if the data is going to be transferred to another group company located within the EEA.
The process of getting approval from all employees can be a great concern for companies, especially for those with a high employee turnover. The employees consent must be genuinely ‘free’ for data protection purposes. For example, offers of work or promotion that may be linked to an employer’s desire to attain consent can result in the consent being regarded as invalid. Explicit written consent should be considered best practice and, depending on the jurisdiction, may be absolutely necessary.
Training the Controllers
Another important action for the international employer to address is the training of those employees responsible for processing hotline data (the ‘data controllers’). The training policies and procedures must ensure compliance with the current applicable data protection laws in the countries where they intend to implement hotline schemes.
State by State
A whistleblowing hotline can be a valuable tool for protecting businesses against malpractice and poor governance and showing the company’s dedication to proper compliance. For US companies of a certain size it is a requirement of law. However, employers operating across a number of EU Member States need to take care before implementing a universal protocol across all their EU jurisdictions. Hotlines, their implementation and the training in their use should be considered individually in each jurisdiction.